Activate mixed content blocking
I'm informed that HTTPS-Everywhere has likely disabled any rules that break with mixed content blocking for active content, as suggested in https://bugzilla.mozilla.org/show_bug.cgi?id=878890#c20. So I think we should activate MCB (set "security.mixed_content.block_active_content" to true). It seems dangerous to have it disabled, and Firefox's default value is true as well.
To upload designs, you'll need to enable LFS and have admin enable hashed storage. More information